Open
58 commits
6031ec7
Red Hat Konflux update ambient-code-backend-main
Apr 6, 2026
606ce90
Red Hat Konflux update ambient-code-frontend-main
Apr 6, 2026
6c55b40
Red Hat Konflux update ambient-code-operator-main
Apr 6, 2026
f0c83d1
Red Hat Konflux update ambient-code-public-api-main
Apr 6, 2026
27ca356
Red Hat Konflux update ambient-code-ambient-api-server-main
Apr 6, 2026
ecc111f
Red Hat Konflux update ambient-code-ambient-runner-main
Apr 8, 2026
423fe26
Add app-interface overlay for AppSRE platform deployment
wcmitchell Apr 10, 2026
5a526ef
Add OpenShift Templates for AppSRE deployment
wcmitchell Apr 11, 2026
05d3dad
Add app-interface overlay for AppSRE platform deployment
wcmitchell Apr 10, 2026
2cf0e26
fix: correct OpenShift Template objects array format
wcmitchell Apr 13, 2026
c608bd0
refactor: remove in-cluster services from template
wcmitchell Apr 13, 2026
813c4e6
updating postgresql db name
maknop Apr 13, 2026
9d1e6c0
enabling ssl mode for rds
maknop Apr 15, 2026
4c0ee4b
fix: disable OpenTelemetry metrics export in operator
maknop Apr 15, 2026
85b6476
enabling ssl mode for rds
maknop Apr 15, 2026
9b27e17
Add OAuth proxy and SSL/TLS configuration for app-interface overlay
wcmitchell Apr 17, 2026
76e9181
Remove in-cluster services from template-services.yaml
wcmitchell Apr 17, 2026
5fb4711
Fix OAuth proxy configuration to use OpenShift service account auth
wcmitchell Apr 20, 2026
12d027e
Exclude ambient-code-rds secret from services template
wcmitchell Apr 20, 2026
e252262
fix: fix frontend route termination
wcmitchell Apr 20, 2026
b673993
fix: revert https changes for oauth pods
wcmitchell Apr 20, 2026
07c771f
Change TLS termination from reencrypt to edge
wcmitchell Apr 20, 2026
3b12dbc
Change health check scheme from HTTPS to HTTP
wcmitchell Apr 20, 2026
cd29d3e
Update upstream URL to use frontend service
wcmitchell Apr 20, 2026
19cae2a
Enable request logging in OAuth proxy configuration
wcmitchell Apr 20, 2026
eea6dbf
Update OAuth redirect reference for frontend service account
wcmitchell Apr 20, 2026
d8ca236
Update Vertex AI credentials to use app-interface Vault secret
wcmitchell Apr 21, 2026
aca8627
Fix OAuth proxy to pass access token to backend API
wcmitchell Apr 21, 2026
da9e091
Update OAuth proxy configuration options
wcmitchell Apr 21, 2026
59db0de
Remove authorization header setting from template
wcmitchell Apr 21, 2026
f7c264f
updating ambient env to production
maknop Apr 21, 2026
fc506ef
Add pass-user-bearer-token option to template-services.yaml
wcmitchell Apr 21, 2026
88d2738
Update template-services.yaml
wcmitchell Apr 21, 2026
ab195e8
Fix OAuth proxy to forward user tokens to frontend/backend
wcmitchell Apr 21, 2026
bc7a893
Update openshift-delegate-urls configuration
wcmitchell Apr 21, 2026
81be018
removing openshift-delegate-urls
maknop Apr 21, 2026
8409458
Revert "removing openshift-delegate-urls"
maknop Apr 21, 2026
4a337c6
Update openshift-delegate-urls path in template-services.yaml
wcmitchell Apr 22, 2026
f946eb2
Remove scope option from OAuth proxy configuration
wcmitchell Apr 22, 2026
58123c5
chore: Update konflux deps
wcmitchell Apr 22, 2026
3731512
Merge pull request #56 from RedHatInsights/update_rpm_sig_scan_ref
wcmitchell Apr 22, 2026
04290ab
Configure OAuth proxy with IT-provided SSO client credentials
wcmitchell Apr 28, 2026
8e365a1
Remove ClusterRoleBinding from operator template
wcmitchell Apr 30, 2026
fabbc95
Merge pull request #60 from RedHatInsights/oauth_client_updates
wcmitchell Apr 30, 2026
5d31cec
fix(ci): correct Tekton pathChanged glob patterns
wcmitchell Apr 30, 2026
d292964
Merge pull request #62 from RedHatInsights/fix/tekton-path-glob-patterns
wcmitchell Apr 30, 2026
336a759
fix: initialize no-op metrics instruments when OTEL is disabled
wcmitchell Apr 30, 2026
f190ae5
Merge pull request #61 from RedHatInsights/noop_reporter_init_otel
wcmitchell Apr 30, 2026
2af8216
fix: add MLflow CRD permissions to operator ClusterRole
wcmitchell May 1, 2026
f0cafaf
Merge pull request #63 from RedHatInsights/add_mlflow_perms
wcmitchell May 1, 2026
a96106f
fix: add MLflow permissions to agentic-operator ClusterRole
wcmitchell May 4, 2026
9a63f96
Merge pull request #64 from RedHatInsights/add_mlflow_to_operator_clu…
wcmitchell May 4, 2026
93927f7
Add NetworkPolicy permissions to agentic-operator ClusterRole
maknop May 6, 2026
6e294e7
fix: add backend API routing to oauth-proxy upstream
wcmitchell May 6, 2026
622f62f
Merge pull request #65 from RedHatInsights/fix-oauth-proxy-api-routing
wcmitchell May 6, 2026
db6bdd3
fix: remove overly restrictive openshift-delegate-urls check
wcmitchell May 6, 2026
0d7e8c0
Merge pull request #66 from RedHatInsights/fix-remove-oauth-delegate-…
wcmitchell May 6, 2026
a3ede83
increased initial prompt deploy seconds to 10 seconds
maknop May 7, 2026
585 changes: 585 additions & 0 deletions .tekton/ambient-code-ambient-api-server-main-pull-request.yaml

Large diffs are not rendered by default.

582 changes: 582 additions & 0 deletions .tekton/ambient-code-ambient-api-server-main-push.yaml

Large diffs are not rendered by default.

581 changes: 581 additions & 0 deletions .tekton/ambient-code-ambient-runner-main-pull-request.yaml

Large diffs are not rendered by default.

578 changes: 578 additions & 0 deletions .tekton/ambient-code-ambient-runner-main-push.yaml

Large diffs are not rendered by default.

585 changes: 585 additions & 0 deletions .tekton/ambient-code-backend-main-pull-request.yaml

Large diffs are not rendered by default.

582 changes: 582 additions & 0 deletions .tekton/ambient-code-backend-main-push.yaml

Large diffs are not rendered by default.

585 changes: 585 additions & 0 deletions .tekton/ambient-code-frontend-main-pull-request.yaml

Large diffs are not rendered by default.

582 changes: 582 additions & 0 deletions .tekton/ambient-code-frontend-main-push.yaml

Large diffs are not rendered by default.

585 changes: 585 additions & 0 deletions .tekton/ambient-code-operator-main-pull-request.yaml

Large diffs are not rendered by default.

582 changes: 582 additions & 0 deletions .tekton/ambient-code-operator-main-push.yaml

Large diffs are not rendered by default.

585 changes: 585 additions & 0 deletions .tekton/ambient-code-public-api-main-pull-request.yaml

Large diffs are not rendered by default.

582 changes: 582 additions & 0 deletions .tekton/ambient-code-public-api-main-push.yaml

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion components/ambient-api-server/templates/db-template.yml
Expand Up @@ -14,7 +14,7 @@ parameters:
description: The name of the OpenShift Service exposed for the database.
displayName: Database Service Name
required: true
value: ambient-api-server-db
value: ambient-code-rds

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Default DB template name now risks colliding with external RDS secret naming.

Line 17 sets DATABASE_SERVICE_NAME to ambient-code-rds, and this template reuses that value for Service/Deployment/PVC/Secret names. That can conflict with externally managed ambient-code-rds credentials and cause wrong DB host/credentials to be consumed.

Proposed fix
-    value: ambient-code-rds
+    value: ambient-api-server-db
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
value: ambient-code-rds
value: ambient-api-server-db
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@components/ambient-api-server/templates/db-template.yml` at line 17, The
default DATABASE_SERVICE_NAME value "ambient-code-rds" can collide with
externally managed RDS secrets; change the default in db-template.yml to a
non-colliding name (e.g., "ambient-code-rds-local" or
"ambient-code-rds-template") and update all resource name templates that
reference DATABASE_SERVICE_NAME (Service, Deployment, PVC, Secret) to include a
template-specific suffix or chart identifier so they generate unique names (for
example append "-local" or the chart name to the value used for metadata names)
and ensure any secret names that previously used DATABASE_SERVICE_NAME are also
changed to the new pattern so external secrets aren’t accidentally consumed.


- name: DATABASE_USER
description: Username for PostgreSQL user that will be used for accessing the database.
4 changes: 2 additions & 2 deletions components/manifests/README.md
Expand Up @@ -26,7 +26,7 @@ manifests/
│ ├── platform/ # Cluster-level resources
│ │ ├── namespace.yaml
│ │ ├── ambient-api-server-db.yml # ambient-api-server PostgreSQL deployment
│ │ └── ambient-api-server-secrets.yml # Secret template (values injected per-env)
│ │ └── ambient-api-server-secrets.yml # Secret template (ambient-code-rds secret for DB)
│ ├── crds/ # Custom Resource Definitions
│ │ ├── agenticsessions-crd.yaml
│ │ └── projectsettings-crd.yaml
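Review bot: The tree comment for `ambient-api-server-secrets.yml` no longer says that the values are injected per environment, which was the one fact telling a reader that nothing real is committed in that file. Keep both points, for example `# Secret template for ambient-code-rds (values injected per-env)`.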
Expand Down Expand Up @@ -121,7 +121,7 @@ Components are opt-in kustomize modules included via the `components:` block in
|---|---|---|
| `oauth-proxy` | Adds OpenShift OAuth proxy sidecar to frontend | `production` |
| `postgresql-rhel` | Patches PostgreSQL to use `registry.redhat.io/rhel10/postgresql-16` | `production`, `local-dev` |
| `ambient-api-server-db` | Same RHEL patch for the ambient-api-server's dedicated DB | `production`, `local-dev` |
| `ambient-api-server-db` | RHEL patch for ambient-api-server DB (updates ambient-code-rds secret refs) | `production`, `local-dev` |
| `postgresql-init-scripts` | ConfigMap + volume for DB init SQL (vanilla postgres only) | `kind`, `e2e` |

## Building and Validating
Expand Up @@ -146,7 +146,7 @@ spec:
volumes:
- name: db-secrets
secret:
secretName: ambient-api-server-db
secretName: ambient-code-rds
- name: app-secrets
secret:
secretName: ambient-api-server
5 changes: 3 additions & 2 deletions components/manifests/base/core/operator-deployment.yaml
Expand Up @@ -136,8 +136,9 @@ spec:
# - name: DEFAULT_INACTIVITY_TIMEOUT
# value: "86400" # Default inactivity timeout in seconds (24h). Set to 0 to disable.
# OpenTelemetry configuration
- name: OTEL_EXPORTER_OTLP_ENDPOINT
value: "otel-collector.ambient-code.svc:4317" # Deploy OTel collector separately
# Disabled: OTel collector not deployed. Uncomment when collector is available.
# - name: OTEL_EXPORTER_OTLP_ENDPOINT
# value: "otel-collector.ambient-code.svc:4317" # Deploy OTel collector separately
- name: DEPLOYMENT_ENV
value: "production"
- name: VERSION
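Review bot: Commenting out `OTEL_EXPORTER_OTLP_ENDPOINT` in `base/core/operator-deployment.yaml` disables export for every overlay built on this base, not only the environment that lacks a collector. Consider leaving the base unchanged and removing the variable in the overlay that needs it, so the base does not carry a commented-out block that has to be remembered and restored by hand.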
6 changes: 3 additions & 3 deletions components/manifests/base/platform/ambient-api-server-db.yml
Expand Up @@ -65,17 +65,17 @@ spec:
valueFrom:
secretKeyRef:
key: db.user
name: ambient-api-server-db
name: ambient-code-rds
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
key: db.password
name: ambient-api-server-db
name: ambient-code-rds
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
key: db.name
name: ambient-api-server-db
name: ambient-code-rds
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
volumeMounts:
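Review bot: `POSTGRES_USER`, `POSTGRES_PASSWORD` and `POSTGRES_DB` for the in-cluster PostgreSQL container now come from a secret named `ambient-code-rds`, so wherever this deployment and the external RDS credentials exist in the same namespace, the local database is initialised with the RDS username and password. Keep a separate secret name for the in-cluster database (the previous `ambient-api-server-db`) and switch only the API server's references, or drop this deployment from the overlays that use RDS.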
Expand Up @@ -2,7 +2,7 @@
apiVersion: v1
kind: Secret
metadata:
name: ambient-api-server-db
name: ambient-code-rds
labels:
app: ambient-api-server
component: database
15 changes: 15 additions & 0 deletions components/manifests/base/rbac/frontend-rbac.yaml
Expand Up @@ -3,6 +3,8 @@ kind: ServiceAccount
metadata:
name: frontend
namespace: ambient-code
annotations:
serviceaccounts.openshift.io/oauth-redirectreference.frontend: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"frontend"}}'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
Expand All @@ -28,3 +30,16 @@ subjects:
- kind: ServiceAccount
name: frontend
namespace: ambient-code
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ambient-frontend-oauth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: frontend
namespace: ambient-code
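Review bot: The new `ambient-frontend-oauth-delegator` binding gives the `frontend` service account `system:auth-delegator` cluster-wide; if the frontend pod runs under that service account, the application container can create TokenReviews and SubjectAccessReviews just as the proxy sidecar can. Say in a comment why the proxy needs it (the `--openshift-delegate-urls` checks), and consider whether the binding name, which is cluster-scoped, should carry the namespace so two installs on one cluster do not share it.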
Expand Up @@ -11,17 +11,17 @@
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.user
- name: POSTGRESQL_PASSWORD
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.password
- name: POSTGRESQL_DATABASE
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.name
- op: replace
path: /spec/template/spec/containers/0/volumeMounts
Expand Up @@ -41,20 +41,20 @@ spec:
- name: PGHOST
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.host
- name: PGUSER
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.user
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.password
- name: PGDATABASE
valueFrom:
secretKeyRef:
name: ambient-api-server-db
name: ambient-code-rds
key: db.name
@@ -1,7 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component

# Requires: ambient-api-server-db Secret in the target namespace
# Requires: ambient-code-rds Secret in the target namespace

patches:
- path: ambient-api-server-db-json-patch.yaml
@@ -1,5 +1,6 @@
# Patch for production frontend deployment
# - Adds OAuth proxy sidecar for authentication
# - Adds OAuth proxy sidecar for authentication using OpenShift OAuth
# - Uses service account token for cookie secret (no vault secret needed)
# - Overrides resource limits to prevent OOMKills (sawtooth memory pattern)
apiVersion: apps/v1
kind: Deployment
Expand All @@ -20,19 +21,18 @@ spec:
cpu: 1000m
# OAuth proxy sidecar
- name: oauth-proxy
image: quay.io/openshift/origin-oauth-proxy:4.14
image: registry.redhat.io/openshift4/ose-oauth-proxy-rhel9:v4.18.0-202506230505.p0.gcbd44ad.assembly.stream.el9
imagePullPolicy: IfNotPresent
args:
- --http-address=:8443
- --https-address=
- --https-address=:8443
- --provider=openshift
- --openshift-service-account=frontend
- --upstream=http://localhost:3000
- --client-id=ambient-frontend
- --client-secret-file=/etc/oauth/config/client-secret
- --cookie-secret-file=/etc/oauth/config/cookie_secret
- --cookie-expire=23h0m0s
- --pass-access-token
- --scope=user:full
- --openshift-delegate-urls={"/":{"resource":"projects","verb":"list"}}
- --openshift-delegate-urls={"/api":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"},"/federate":{"resource":"namespaces","verb":"get","name":"ambient-code","namespace":"ambient-code"}}
- --tls-cert=/etc/tls/private/tls.crt
- --tls-key=/etc/tls/private/tls.key
- --cookie-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
- --upstream-timeout=5m
Comment on lines +34 to +35

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

find . -type f -name "frontend-oauth-deployment-patch.yaml" -o -name "template-services.yaml" | head -20

Repository: ambient-code/platform

Length of output: 204


🏁 Script executed:

# Let's also check the structure of oauth-proxy related files
find . -type d -name "oauth-proxy" 2>/dev/null

Repository: ambient-code/platform

Length of output: 111


🏁 Script executed:

# Search for oauth-proxy configurations and references
rg "cookie-secret" --type yaml -A 2 -B 2

Repository: ambient-code/platform

Length of output: 2838


🏁 Script executed:

# Look for any oauth-proxy documentation or setup patterns in the codebase
rg "oauth.*secret" -i --type yaml

Repository: ambient-code/platform

Length of output: 2097


🏁 Script executed:

cat -n ./components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml

Repository: ambient-code/platform

Length of output: 3036


🏁 Script executed:

cat -n ./components/manifests/templates/template-services.yaml | head -100

Repository: ambient-code/platform

Length of output: 3299


🏁 Script executed:

cat -n ./components/manifests/overlays/production/frontend-oauth-patch.yaml

Repository: ambient-code/platform

Length of output: 2660


Use a dedicated Secret for cookie signing instead of the service account token.

The service account token at /var/run/secrets/kubernetes.io/serviceaccount/token rotates on pod/token updates, changing the cookie secret and invalidating active sessions. OAuth-proxy requires a stable signing key across restarts. Adopt the dedicated Secret pattern used in overlays/production/frontend-oauth-patch.yaml and template-services.yaml, which mount a persistent Secret volume.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@components/manifests/components/oauth-proxy/frontend-oauth-deployment-patch.yaml`
around lines 34 - 35, Replace use of the rotating service account token for
cookie signing by creating and mounting a stable Kubernetes Secret and pointing
the oauth-proxy flag --cookie-secret-file at the secret-backed file instead of
/var/run/secrets/kubernetes.io/serviceaccount/token; update the manifest lines
that currently set --cookie-secret-file and keep --upstream-timeout as-is, add a
volume and volumeMount referencing the new Secret (with the secret key
containing the cookie signing key) so the oauth-proxy process reads a persistent
signing key across restarts.

- --skip-auth-regex=^/metrics
ports:
- containerPort: 8443
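Review bot: `--skip-auth-regex=^/metrics` at the end of the args has no end anchor, so every path that starts with `/metrics` reaches the upstream at `localhost:3000` without a login, not just the metrics endpoint. Use `^/metrics$` if only that path is meant to be open. Separately, the proxy image is pinned by tag; pinning it by digest would make the deployed build reproducible.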
Expand All @@ -41,38 +41,33 @@ spec:
httpGet:
path: /oauth/healthz
port: dashboard-ui
scheme: HTTP
initialDelaySeconds: 30
scheme: HTTPS
initialDelaySeconds: 10
timeoutSeconds: 1
periodSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /oauth/healthz
port: dashboard-ui
scheme: HTTP
initialDelaySeconds: 5
scheme: HTTPS
initialDelaySeconds: 10
timeoutSeconds: 1
periodSeconds: 5
periodSeconds: 10
successThreshold: 1
failureThreshold: 3
resources:
requests:
memory: 256Mi
cpu: 50m
memory: 50Mi
cpu: 10m
limits:
memory: 512Mi
memory: 200Mi
cpu: 200m
volumeMounts:
- mountPath: /etc/oauth/config
name: oauth-config
- mountPath: /etc/tls/private
name: proxy-tls
name: frontend-proxy-tls
volumes:
- name: oauth-config
secret:
secretName: frontend-oauth-config
- name: proxy-tls
- name: frontend-proxy-tls
secret:
secretName: dashboard-proxy-tls
secretName: frontend-proxy-tls
@@ -1,10 +1,12 @@
# Patch to add OAuth port to frontend service
# - Adds HTTPS port for OAuth proxy sidecar
# - Uses service.alpha annotation for auto-generated TLS cert
apiVersion: v1
kind: Service
metadata:
name: frontend-service
annotations:
service.beta.openshift.io/serving-cert-secret-name: dashboard-proxy-tls
service.alpha.openshift.io/serving-cert-secret-name: frontend-proxy-tls
spec:
ports:
- port: 8443
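Review bot: The annotation key moves from `service.beta.openshift.io/serving-cert-secret-name` to the older `service.alpha.openshift.io/` form, while the `ambient-api-server` Service patch added in this same change uses `service.beta.openshift.io/`. Keep the `service.beta` key here and change only the secret name to `frontend-proxy-tls`, and update the header comment that mentions `service.alpha` to match.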
@@ -0,0 +1,21 @@
---
apiVersion: v1
kind: Secret
metadata:
name: ambient-code-rds
labels:
app: ambient-api-server
component: database
annotations:
# External RDS connection managed via Vault secrets from app-interface Phase 2
# These values will be injected by vault-secret-manager from Vault path:
# app-interface/data/ambient-code-platform/stage/rds-credentials
qontract.recycle: "true"
type: Opaque
stringData:
# Placeholders - actual values injected from Vault at runtime
db.host: "VAULT_INJECTED"
db.port: "5432"
db.name: "ambient_code"
db.user: "VAULT_INJECTED"
db.password: "VAULT_INJECTED"
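Review bot: This manifest creates a Secret named `ambient-code-rds` with literal `VAULT_INJECTED` strings for `db.host`, `db.user` and `db.password`; the name is the one the deployments in this change read, so applying this file where the real secret already exists replaces working credentials with placeholders. If the secret is delivered from Vault, leave it out of the applied manifests and keep only a comment listing the required keys (`db.host`, `db.port`, `db.name`, `db.user`, `db.password`).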
@@ -0,0 +1,13 @@
# App-interface: set environment to stage
apiVersion: apps/v1
kind: Deployment
metadata:
name: ambient-api-server
spec:
template:
spec:
containers:
- name: api-server
env:
- name: AMBIENT_ENV
value: stage
@@ -0,0 +1,34 @@
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: ambient-api-server
labels:
app: ambient-api-server
component: api
spec:
to:
kind: Service
name: ambient-api-server
port:
targetPort: api
tls:
termination: reencrypt
insecureEdgeTerminationPolicy: Redirect
---
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: ambient-api-server-grpc
labels:
app: ambient-api-server
component: grpc
spec:
to:
kind: Service
name: ambient-api-server
port:
targetPort: grpc
tls:
termination: reencrypt
insecureEdgeTerminationPolicy: Redirect
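Review bot: Both routes use `termination: reencrypt`, which needs the pod to serve TLS on the `api` and `grpc` target ports, but the api-server command in the SSL patch of this change still passes `--enable-https=false`. Confirm what terminates TLS behind the route (the `ambient-api-server-tls` serving cert is requested, but no mount or TLS flag for it is visible here); otherwise the router's TLS connection to the backend has nothing to answer it.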
@@ -0,0 +1,7 @@
# OpenShift service-ca: auto-provision and rotate TLS certs for ambient-api-server
apiVersion: v1
kind: Service
metadata:
name: ambient-api-server
annotations:
service.beta.openshift.io/serving-cert-secret-name: ambient-api-server-tls
@@ -0,0 +1,52 @@
# App-interface (stage): enable SSL for external RDS connection
apiVersion: apps/v1
kind: Deployment
metadata:
name: ambient-api-server
spec:
template:
spec:
# Migration init container: add SSL mode
initContainers:
- name: migration
command:
- /usr/local/bin/ambient-api-server
- migrate
- --db-host-file=/secrets/db/db.host
- --db-port-file=/secrets/db/db.port
- --db-user-file=/secrets/db/db.user
- --db-password-file=/secrets/db/db.password
- --db-name-file=/secrets/db/db.name
- --db-sslmode=require
- --alsologtostderr
- -v=4
# API server container: add SSL mode
containers:
- name: api-server
command:
- /usr/local/bin/ambient-api-server
- serve
- --db-host-file=/secrets/db/db.host
- --db-port-file=/secrets/db/db.port
- --db-user-file=/secrets/db/db.user
- --db-password-file=/secrets/db/db.password
- --db-name-file=/secrets/db/db.name
- --enable-jwt=true
- --enable-authz=false
- --jwk-cert-file=/configs/authentication/jwks.json
- --enable-https=false
- --api-server-bindaddress=:8000
- --metrics-server-bindaddress=:4433
- --health-check-server-bindaddress=:4434
- --db-sslmode=require
- --db-max-open-connections=50
- --enable-db-debug=false
- --enable-metrics-https=false
- --http-read-timeout=5s
- --http-write-timeout=30s
- --cors-allowed-origins=*
- --cors-allowed-headers=X-Ambient-Project
- --enable-grpc=true
- --grpc-server-bindaddress=:9000
- --alsologtostderr
- -v=4
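Review bot: `--db-sslmode=require` on both the migration and api-server commands encrypts the RDS connection but does not verify the server certificate or host name. If the flag takes the standard PostgreSQL sslmode values, use `verify-full` with the RDS CA bundle mounted. Also, because the patch restates the whole `command` list, it carries `--cors-allowed-origins=*` and `--enable-authz=false` into stage; check that those are intended rather than copied from the base.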